P
US10587484B2ActiveUtilityPatentIndex 92

Anomaly detection and reporting in a network assurance appliance

Assignee: CISCO TECH INCPriority: Sep 12, 2017Filed: Sep 12, 2017Granted: Mar 10, 2020
Est. expirySep 12, 2037(~11.2 yrs left)· nominal 20-yr term from priority
Inventors:NAZAR SHADABMAMILLAPALLI PAVANSuleman AzeemSINGH TUR JAGDEVPANI AYAS
H04L 41/22H04L 43/04H04L 41/142H04L 43/0823
92
PatentIndex Score
34
Cited by
204
References
20
Claims

Abstract

Systems, methods, and computer-readable media for detecting and reporting anomalies in a network environment for providing network assurance. In some embodiments, a system can determine confidence scores for at least one value of parameters of a network environment defining network events occurring in the network environment. The confidences scores can indicate a frequency that the defined network events have a specific event state. The confidence scores can be monitored to detect an anomaly in the network environment. In response to detecting the anomaly in the network environment, the system can determine a relevant network state of the network environment. The relevant network state of the network environment and the anomaly in the network environment can be presented to a user.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method comprising:
 determining confidence scores for at least one value of parameters of a network environment defining network events occurring in the network environment, the confidence scores indicating a frequency that the network events defined by the at least one value of the parameters of the network environment have a specific event state, the parameters of the network environment include one or a combination of a logical hierarchy parameter of the network environment, a network hierarchy parameter of the network environment, or a physical hierarchy parameter of the network environment; 
 determining a relevant portion of the network environment based on the at least one value of the parameters of the network environment; 
 monitoring the confidence scores to detect an anomaly in the network environment; 
 identifying a relevant network state of the network environment in response to detecting the anomaly in the network environment, the relevant network state of the network environment identified based on the relevant portion of the network environment and the anomaly in the network environment; and 
 presenting the relevant network state of the network environment and the anomaly in the network environment to a user. 
 
     
     
       2. The method of  claim 1 , wherein the specific event state is a failing network event. 
     
     
       3. The method of  claim 1 , wherein the anomaly in the network environment is detected by monitoring a Gaussian distribution of the confidence scores for the at least one value of the parameters of the network environment over time. 
     
     
       4. The method of  claim 3 , wherein the anomaly in the network environment is detected based on a threshold mean and variance of the Gaussian distribution of the confidence scores for the at least one value of the parameters of the network environment over time. 
     
     
       5. The method of  claim 1 , wherein the relevant network state of the network environment is identified based on the at least one value of the parameters of the network environment defining the network events used to detect the anomaly in the network environment based on the confidence scores for the at least one value of the parameters of the network environment. 
     
     
       6. The method of  claim 1 , further comprising:
 determining a specific time the anomaly occurred in the network environment; and 
 identifying the relevant network state of the network environment in response to detecting the anomaly using the specific time the anomaly occurred in the network environment. 
 
     
     
       7. The method of  claim 6 , further comprising:
 identifying the relevant network state of the network environment by gathering characteristics of the relevant portion of the network environment at the specific time the anomaly occurred in the network environment. 
 
     
     
       8. The method of  claim 7 , wherein the at least one value of the parameters of the network environment include a value of the logical hierarchy parameter of the network environment and the characteristics of the relevant portion of the network environment are gathered from a controller for the relevant portion of the network environment identified from the value of the logical hierarchy parameter. 
     
     
       9. The method of  claim 7 , wherein the at least one value of the parameters of the network environment include a value of the physical hierarchy parameter of the network environment and the characteristics of the relevant portion of the network environment are gathered from an appliance for the relevant portion of the network identified based on the value of the physical hierarchy parameter. 
     
     
       10. The method of  claim 1 , wherein the relevant portion of the network environment includes a portion of the network environment where the anomaly occurred. 
     
     
       11. The method of  claim 1 , wherein the combination is used to determine the relevant portion of the network environment. 
     
     
       12. The method of  claim 1 , further comprising:
 correlating the anomaly of the network environment with the relevant network state of the network environment identified based on the anomaly. 
 
     
     
       13. The method of  claim 1 , wherein the anomaly of the network environment is automatically detected while the user is offline. 
     
     
       14. A system comprising:
 one or more processors; and 
 at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising: 
 determining confidence scores for at least one value of parameters of a network environment defining network events occurring in the network environment, the confidence scores indicating a frequency that the network events defined by the at least one value of the parameters of the network environment have a specific event state, the parameters of the network environment include one or a combination of a logical hierarchy parameter of the network environment, a network hierarchy parameter of the network environment, or a physical hierarchy parameter of the network environment; 
 determining a relevant portion of the network environment based on the at least one value of the parameters of the network environment; 
 monitoring the confidence scores to detect an anomaly in the network environment; 
 identifying a relevant network state of the network environment in response to detecting the anomaly in the network environment, the relevant network state of the network environment identified based on the relevant portion of the network environment and the anomaly in the network environment; and 
 presenting the relevant network state of the network environment and the anomaly in the network environment to a user. 
 
     
     
       15. The system of  claim 14 , wherein the anomaly in the network environment is detected by monitoring a Gaussian distribution of the confidence scores for the at least one value of the parameters of the network environment over time. 
     
     
       16. The system of  claim 14 , wherein the operations include:
 determining a specific time the anomaly occurred in the network environment; and 
 identifying the relevant network state of the network environment in response to detecting the anomaly using the specific time the anomaly occurred in the network environment. 
 
     
     
       17. The system of  claim 14 , wherein the operations include identifying the relevant network state of the network environment by gathering characteristics of the relevant portion of the network environment at a time the anomaly occurred in the network environment. 
     
     
       18. The system of  claim 17 , wherein the relevant portion of the network environment includes a portion of the network environment where the anomaly occurred in the network environment. 
     
     
       19. The system of  claim 14  wherein the operations include correlating the anomaly of the network environment with the relevant network state of the network environment identified based on the anomaly. 
     
     
       20. A non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to perform operations comprising:
 determining confidence scores for at least one value of parameters of a network environment defining network events occurring in the network environment, the confidence scores indicating a frequency that the network events defined by the at least one value of the parameters of the network environment have a specific event state, the parameters of the network environment include one or a combination of a logical hierarchy parameter of the network environment, a network hierarchy parameter of the network environment, or a physical hierarchy parameter of the network environment; 
 determining a relevant portion of the network environment based on the at least one value of the parameters of the network environment; 
 monitoring the confidence scores to detect an anomaly in the network environment; 
 identifying a relevant network state of the network environment in response to detecting the anomaly in the network environment, the relevant network state of the network environment identified based on the relevant portion of the network environment and the anomaly in the network environment; and 
 presenting the relevant network state of the network environment and the anomaly in the network environment to a user.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.